fix CVE-2022-39028

(cherry picked from commit 05795c0b96687818fd4428ad9798737286981dd3)
2024-04-01 06:12:28 +00:00 · 2024-04-01 06:12:28 +00:00 · 19ea7a1c24
commit 19ea7a1c24
parent f66583b278
2 changed files with 56 additions and 1 deletions
--- a/backport-CVE-2022-39028.patch
+++ b/backport-CVE-2022-39028.patch
@ -0,0 +1,48 @@
+Description: Fix remote DoS vulnerability in inetutils-telnetd
+ This is caused by a crash by a NULL pointer dereference when sending the
+ byte sequences «0xff 0xf7» or «0xff 0xf8».
+Authors:
+ Pierre Kim (original patch),
+ Alexandre Torres (original patch),
+ Erik Auerswald <auerswal@unix-ag.uni-kl.de> (adapted patch),
+Reviewed-by: Erik Auerswald <auerswal@unix-ag.uni-kl.de>
+Origin: upstream
+Ref: https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-netkit-telnetd-inetutils-telnetd-kerberos-telnetd.html
+Forwarded: https://lists.gnu.org/archive/html/bug-inetutils/2022-08/msg00002.html
+Last-Update: 2022-08-28
+
+---
+ telnetd/state.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/telnetd/state.c b/telnetd/state.c
+index 0dc61a2..befc9d0 100644
+--- a/telnetd/state.c
+++ b/telnetd/state.c
+@@ -206,12 +206,20 @@ void telrcv(void) {
+ 	      case EC:
+ 	      case EL:
+ 		 {
+-		     cc_t ch;
+		     cc_t ch = (cc_t) (_POSIX_VDISABLE);
+ 		     DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
+ 		     ptyflush();	/* half-hearted */
+ 		     init_termbuf();
+-		     if (c == EC) ch = *slctab[SLC_EC].sptr;
+-		     else ch = *slctab[SLC_EL].sptr;
+		     if (c == EC) 
+		     {
+		         if (slctab[SLC_EC].sptr)
+				ch = *slctab[SLC_EC].sptr;
+		     }
+		     else
+		     {
+		         if (slctab[SLC_EL].sptr)
+				ch = *slctab[SLC_EL].sptr;
+		     }
+ 		     if (ch != (cc_t)(_POSIX_VDISABLE))
+ 			 *pfrontp++ = (unsigned char)ch;
+ 		     break;
+-- 
+2.33.0
+
--- a/telnet.spec
+++ b/telnet.spec
@ -1,7 +1,7 @@
 Name:             telnet
 Epoch:            1
 Version:          0.17
-Release:          79
+Release:          80
 Summary:          Client and Server programs for the Telnet communication protocol
 License:          BSD
 Url:              http://web.archive.org/web/20070819111735/www.hcs.harvard.edu/~dholland/computers/old-netkit.html
@ -37,6 +37,7 @@ Patch0024:        netkit-telnet-0.17-gcc7.patch
 Patch0025:        netkit-telnet-0.17-manpage.patch
 Patch0026:        netkit-telnet-0.17-telnetrc.patch
 Patch0027:        CVE-2020-10188.patch
+Patch0028:        backport-CVE-2022-39028.patch

 BuildRequires:    gcc-c++ ncurses-devel systemd
 Requires:         systemd
@ -100,6 +101,12 @@ install -pm644 %{SOURCE3} %{buildroot}%{_unitdir}/telnet.socket
 %{_mandir}/man1/telnet.1*

 %changelog
+* Mon Apr 01 2024 gaihuiying <eaglegai@163.com> - 1:0.17-80
+- Type:cves
+- CVE:CVE-2022-39028
+- SUG:NA
+- DESC:fix CVE-2022-39028
+
 * Wed Aug 30 2023 renyi <977713017@qq.com> - 1:0.17-79
 - Type:Feature
 - ID:NA